One in five willing to make Facebook friends with complete strangers

Facebook users are remarkably willing to form connections to people they …

Researchers from the University of British Columbia Vancouver infiltrated Facebook with a set of bot-controlled fake accounts, sent out a load of friend requests, got a load of responses, and then harvested 250GB of personal data. They managed this in spite of Facebook's defense measures, such as CAPTCHAs presented when an account tries to add too many friends and the "Facebook Immune System" (FIS), which detects suspicious, spider-like activity and blocks it.

In total, 102 bots were used. These sent friend requests to 5,053 random users with public accounts, 976 of which accepted them. The bots then sent a further 3,517 requests to friends of those users; 2,079 of these were accepted. Facebook Immune System blocked about 20 percent of accounts after users reported those accounts for spamming. The result was a network of 3,055 profiles, with a further 1,085,785 friends-of-friends in the extended network.

With these connections made, the researchers then tried to harvest information that could have monetary value: the extensive personal information contained in Facebook profiles. They then compared the amount of data accessible before infiltration (i.e. that made available to the public) and that after (i.e. that made available to friends or friends-of-friends). While some information was widely publicized—almost everyone who included their gender on their profile made it public—other details, such as postal and e-mail addresses, became much more accessible after friendship was granted: for people directly friended by the bots, availability of e-mail went from 2.4 percent (unfriended) to 71.8 percent (friended), and postal addresses from 0.9 percent to 19.0 percent.

Facebook disputes the value of the study, arguing that FIS actually blocked more accounts more quickly than the researchers claim, and that the bots were given more leeway than normal accounts because they were using a single university IP address. The fact that friends can access more personal data than strangers is in any case unsurprising: that's rather the point of being Facebook friends.

But what we did find weird was the number of people willing to add complete strangers as friends. The initial batch of friend requests had about a 20 percent success rate. These were unsolicited friend requests between people who couldn't possibly have relationships, and yet one in five people were willing to make the connection. If that complete stranger had a mutual friend in common, the success rate went up to about 60 percent.

Much is made of Facebook privacy and control. The site has been criticized for making it too hard to secure personal data, and for being too liberal with its default policies. In response to these criticisms, it has made the privacy and security system easier to use and given it more sensible defaults.

But these controls are irrelevant if people are willing to add random bots, and hence give away access to their "friends-only" private information. With its focus on data harvesting, the study didn't examine why people might add such accounts as friends, but plainly there are many Facebook users who are more interested in having the connection than whether they actually know someone. Facebook users are clearly taking the time to consider how widely their data is shared, and hiding information from non-friends. But when looking at whom the data is shared with, much of that same care and attention appears to be missing.

In real life, approaching someone and asking them if they'd "like to be on their friends list" has a one-in-five chance of resulting in the can of pepper spray being drawn. It's a pretty remarkable contrast...

there have been some instances where i have friended someone by accident.

can't recall the situations that arise where the text is confusing or placed next to another item i meant to click. but anyway, they usually stay as friends because i can't be asked to go through and delete them.

as well i should mention i do not upload anything i consider truly private to facebook so i feel no risk.

I've been amazed with the number of (apparent) "escorts" that guys friend on Facebook. Women with a very hot profile pic, but a very sterile profile (no family, few if any posts and some common pop culture "likes" to get their profile pic in circulation). You can find some interesting things looking at friends of friends of friends and so forth.

Researchers from the University of British Columbia Vancouver infiltrated Facebook with a set of bot-controlled fake accounts, sent out a load of friend requests, got a load of responses, and then harvested 250GB of personal data.

So THAT explains all the spam in my folder.

No, that just puts into question FB's claim of "nearly 1 billion people using this service". I'm willing to bet less than one quarter of that number are real people (maybe even far fewer) and the rest are just bots, advertising accounts and corporate (non-person) pages.

I don't see the issue. People are free to give up their personal information to whoever they want. Why the concern over people who choose to freely let strangers view it? Perhaps they don't feel the information in FB is sensitive to them.

What's important is that a site like Facebook provide the tools for people to easily protect information if they wish, and that they protect people who can't make the informed decision themselves, like children.

When in real life, approaching someone and asking them if they'd "like to be on their friends list" has a one-in-five chance of resulting in the can of pepper spray being drawn. It's a pretty remarkable contrast...

Or someone following someone around the mall with a notebook and making note of every store they've entered and every item they've bought. They'd freak out and call the police!

That sort of thing goes on online every day, all the time, to almost everyone. All but the hardcore nerds are okay with that.

Remarkable.

People flail when some business loses their information.... and yet they give it away for free for the purposes of data mining and targeted ads (Facebook).

I am not likely to add people I know to my facebook. People I don't know have 0 chance. I could be surprised at that number, but I know too many people with thousands of friends. They are the type of people who accumulate those numbers just for the sake of having a high number.

I've been amazed with the number of (apparent) "escorts" that guys friend on Facebook. Women with a very hot profile pic, but a very sterile profile (no family, few if any posts and some common pop culture "likes" to get their profile pic in circulation). You can find some interesting things looking at friends of friends of friends and so forth.

Yeah, I'd be curious to know how many of the bot accounts used pictures of attractive people for their profile photo, and if that had any impact on the likelihood of accepting the friend request.

You can record the logins of your friends on Facebook. That is, the times they log in, log out, and naturally, how long they spent online and stuff. You can get a lot of information about behavior patterns from it if you had lots of programming behind it.

You can record the logins of your friends on Facebook. That is, the times they log in, log out, and naturally, how long they spent online and stuff. You can get a lot of information about behavior patterns from it if you had lots of programming behind it.

Why does it feel like I'm the only one who knows you can do this?

Not really. Sometimes I leave my FB open on my home pc while I'm gone at work for the day, so it doesn't actually say anything about how much I spend using it.

That said I've never understood the mentality of people with hundreds of friends; I think my list is like 20 something.

Another explanation is the social games. Many of the FB games require the addition of more friends playing to obtain greater in-game rewards (quests/items/abilities). People tend to create off-FB community forums where people who play can find each other's profiles and add them.

I have complete strangers added - but that was during the games playing stage (mafia wars, cityville) where the more "friends" I have, the more bonuses I had.

Not that it really matters. I don't post things on facebook. I don't understand why ppl need to post about how much they hate their job, or who they slept with, or other stuff like that. The only thing I [used to] post on facebook were Zynga game notifications. If my friends want to contact me, there are other mediums available.

I have at least 5 facebook friends from Thailand. Not sure why they added me, but it has been interesting conversation.

Others are random canuckistanis that have added me because of mutual friends.

Although honestly, if some random individual comes up to talk to me in a random manner, I generally have the conversation. Met all kinds of interesting folk, some of which were most certainly escapees from the local shelter....

When in real life, approaching someone and asking them if they'd "like to be on their friends list" has a one-in-five chance of resulting in the can of pepper spray being drawn. It's a pretty remarkable contrast...

I have friended people I don't know, but they were friends of friends and I could see that we had similar interests outside of the friend in common.

Reading comprehension FAIL.

The article actually says:

Quote:

The initial batch of friend requests had about a 20 percent success rate. These were unsolicited friend requests between people who couldn't possibly have relationships, and yet one in five people were willing to make the connection. If that complete stranger had a mutual friend in common, the success rate went up to about 60 percent.

So if a friend of yours is stupid enough to friend a bot, you're three times more likely to friend that same bot.

To be fair, that's a different story than a complete stranger with no connection at all, so it doesn't surprise me that people are more willing to accept. Compare to real life(loosely). If someone started chatting with you, and you realized you had a friend in common, you may be more likely to continue the conversation. Not saying this is right or wrong, but it's the way humans are wired it seems.

Whether or not people are too trusting or not in general is going to vary from person to person, but this aspect at least makes sense compared to real life.

As for truly random people with no common friends, the percentage might not be that far off from real life either, depending on what culture you're looking at.

To be fair, that's a different story than a complete stranger with no connection at all, so it doesn't surprise me that people are more willing to accept.

This was a study, not an actual phishing expedition. I'd assume a decent phishing attack would clone at least part of your friends' interests, etc., after friending. That would make people a lot more willing to accept further friend requests.

As actual security flaws are closed and security models are improved, humans are the easiest (and only unpatchable) attack vector left. I wouldn't be surprised if, instead of spamming us, botnets in the future focus more on phishing and fooling us into handing over information freely. We really are that stupid as a species.

Quote:

Compare to real life(loosely). If someone started chatting with you, and you realized you had a friend in common, you may be more likely to continue the conversation. Not saying this is right or wrong, but it's the way humans are wired it seems.

You're right, humans are wired this way. That's the problem with being a social species - we want to be close to those like us, and we fear those that are different (which causes a whole mass of problems in itself). Unfortunately in the modern world, the only place this wiring might work in our favour is online, but that's also the only place we can't actually tell the two groups apart!

Quote:

Whether or not people are too trusting or not in general is going to vary from person to person, but this aspect at least makes sense compared to real life.

What I find interesting is that people in general tend to think real-life society is a lot worse than it really is (they assume higher crime rates, more danger, less social cohesion than is warranted), yet online, as soon as they're actually being attacked they presume no danger at all. It never occurs to most people that they're individually worth attacking.

As actual security flaws are closed and security models are improved, humans are the easiest (and only unpatchable) attack vector left. I wouldn't be surprised if, instead of spamming us, botnets in the future focus more on phishing and fooling us into handing over information freely. We really are that stupid as a species.

I completely agree. I didn't say it was smart, just that it's not surprising. Honestly, I would've guessed at higher acceptance rates.

To be fair, that's a different story than a complete stranger with no connection at all, so it doesn't surprise me that people are more willing to accept. Compare to real life(loosely). If someone started chatting with you, and you realized you had a friend in common, you may be more likely to continue the conversation. Not saying this is right or wrong, but it's the way humans are wired it seems.

Pretty much. I mean, if I've got 13 mutual friends and I can see you've got pictures of stuff I'm interested in (animals, computers, guns), and it looks like you're a real person I'll probably friend you just to see if you've got good stuff to say. I don't post much on my wall that's intensely personal anyway (well, except about my animals...). There's been more than one case (5-6 actually) where I found out that a facebook friend and I had been posting on the same forums for years--in one case we even have family in some of the same towns and some RL mutual friends (there's not too many exotic animal people in Alamogordo NM...shouldn't be a huge surprise).